Local DNSSEC resolver & Containers

P J P pjp at fedoraproject.org
Tue Jul 14 13:57:55 UTC 2015


  -> https://lists.fedoraproject.org/pipermail/cloud/2015-January/004867.html

As per the previous discussion above, I was able to use an iptables(8) DNAT rule to divert DNS traffic from Docker containers to a DNSSEC resolver on the host at

Please see:

  -> https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver#Docker_.26_iptables.288.29

One needs to enable local 'lo' routing via the 'docker0' bridge and add the DNAT rule to divert DNS requests to the local resolver. The above configuration is working well on F22 with Docker version 1.6.0, build 9d26a07/1.6.0.

I'd like to hear if you have any comments/suggestions/inputs about the same. Because when the local DNSSEC feature goes live (F23), it would be required to add such configuration on the host, so that the container applications could take full advantage of the DNSSEC resolver.

IMO, the Docker daemon is best suited to make the required configuration changes on the host. Because one, it already adds a few iptables(8) rules on the host. And second, it checks the host's name-server settings in '/etc/resolv.conf' and copies the non-localhost( servers to the container. When localhost( is the only name-server on the host, it defaults to using Google public DNS servers inside containers. It should be fairly straightforward for the Docker daemon to enable local 'lo' routing and add the DNAT rule upon detecting '' as name-server on the host.

Your comments/suggestions/inputs are most welcome.

Thank you.

   -P J P
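
The detection step and host changes proposed above, sketched as an added example (not part of the original post and not Docker's code). It prints the commands rather than running them; the resolver address 127.0.0.1, diverting both UDP and TCP port 53, and the sample resolv.conf texts are assumptions made for the illustration.

```shell
#!/bin/sh
# Dry run: decide from resolv.conf text whether container DNS must be
# diverted to a resolver on the host's loopback, and print the host changes.

BRIDGE="${BRIDGE:-docker0}"        # bridge name taken from the post
RESOLVER="${RESOLVER:-127.0.0.1}"  # assumption: resolver listens on IPv4 loopback

# Return 0 only when at least one nameserver is listed and all are loopback.
loopback_only() {
    printf '%s\n' "$1" | awk '
        $1 == "nameserver" {
            n++
            if ($2 !~ /^127\./ && $2 != "::1") other++
        }
        END { exit !(n > 0 && other == 0) }'
}

# Print the sysctl and DNAT rules for the loopback-only case; execute nothing.
plan_dns_divert() {
    if ! loopback_only "$1"; then
        echo "# non-loopback nameserver present: no diversion planned"
        return 0
    fi
    # Allow packets arriving on the bridge to be routed to 127.0.0.0/8.
    echo "sysctl -w net.ipv4.conf.${BRIDGE}.route_localnet=1"
    # DNS uses UDP and TCP, so both are diverted (assumption of this example).
    for proto in udp tcp; do
        echo "iptables -t nat -I PREROUTING -i ${BRIDGE} -p ${proto} --dport 53 -j DNAT --to-destination ${RESOLVER}:53"
    done
}

# Constructed sample inputs (not taken from a real host).
SAMPLE_LOCAL='# constructed sample
nameserver 127.0.0.1'
SAMPLE_MIXED='nameserver 127.0.0.1
nameserver 192.0.2.53'

plan_dns_divert "$SAMPLE_LOCAL"
```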
